Windows 10: If you want a highly secure device, follow these rules, says Microsoft

Microsoft has published a new standard for creating a very secure Windows 10 machine.
Written by Liam Tung, Contributing Writer

Microsoft has released a new document explaining the minimum hardware and firmware requirements to create a "highly secure" Windows 10 device.

If you've got a Surface Pro 4, which has a sixth-generation Intel processor, it doesn't meet Microsoft's newly published standard.

"Systems must be on the latest, certified silicon chip for the current release of Windows," Microsoft notes on the issue of processor generations.

These chips include Intel's seventh-generation Intel Core i3, i5, i7, i9, M3, and Xeon processors, as well as current Intel Atom, Celeron and Pentium processors.

The processor must have a 64-bit architecture, since Windows 10's virtualization-based security (VBS) requires the Windows hypervisor and this only works on 64-bit processors or ARM v8.2 CPUs.

Several important Windows 10 security features that help defend against advanced attackers rely on VBS, such as Windows Defender Credential Guard, Windows Defender Device Guard, and Hypervisor-Enforced Code Integrity (HVCI).

Microsoft has also laid out minimum requirements to support virtualization. The processor needs to have Intel VT-d, AMD-Vi or ARM64 SMMUs to handle the required Input-Output Memory Management Unit (IOMMU) device virtualization.

To support virtual-machine extensions with second-level address translation (SLAT), the system needs Intel VT-x with Extended Page Tables (EPT), or AMD-V with Rapid Virtualization Indexing (RVI).

The Windows 10 device also needs Intel PTT, AMD, or a discrete Trusted Platform Module from Infineon, STMicroelectronics, or Nuvoton to support the requirement for Trusted Platform Module version 2.0.

Microsoft demands that systems implement cryptographically verified platform boot. This requires Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an equivalent solution developed by an OEM.

Finally, the system needs to have at least 8GB of RAM. Microsoft doesn't explain why this is required.

As noted by BleepingComputer's founder, Lawrence Abrams, it is possible to find a cheap laptop that meets all these hardware requirements, such as the ASUS P-Series P2540UA-AB51, which is available for $500 on Amazon. However, many consumer products probably won't meet all these requirements.

Microsoft has laid out a number of firmware requirements too, including a stipulation that the firmware implements Unified Extensible Firmware Interface (UEFI) version 2.4 or later, that all drivers comply with HVCI, and that systems support the Windows UEFI Firmware Capsule Update specification.
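The following PowerShell audit is an added example, not code from the article or from Microsoft's document. It reads standard WMI classes on the local machine and reports which of the requirements above can be confirmed from inside Windows. The mapping of each WMI property to a requirement is this example's assumption, and the script must run from an elevated session.

```powershell
# Added example: audit the local machine against the requirements listed above.
# Not checked here (not exposed through these WMI classes): processor generation,
# Intel Boot Guard / AMD Hardware Verified Boot, the UEFI version number,
# and per-driver HVCI compliance.

$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Once the Windows hypervisor is running, Win32_Processor reports the VT-x and
# SLAT flags as False, so a running VBS instance is taken as proof of both.
$slat = $vbsRunning -or
        ($cpu.VMMonitorModeExtensions -and $cpu.SecondLevelAddressTranslationExtensions)

# TotalPhysicalMemory excludes firmware-reserved RAM and reads slightly under
# 8 GB on an 8 GB machine, so sum the installed module capacities instead.
$ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

# Confirm-SecureBootUEFI throws on legacy BIOS firmware; any non-throwing
# result (True or False) therefore means the machine booted through UEFI.
$uefi = try { $null = Confirm-SecureBootUEFI -ErrorAction Stop; $true } catch { $false }

[pscustomobject][ordered]@{
    '64-bit CPU and OS'         = ($cpu.DataWidth -eq 64) -and [Environment]::Is64BitOperatingSystem
    'VT-x/AMD-V with SLAT'      = [bool]$slat
    # AvailableSecurityProperties value 3 = DMA protection (IOMMU) available
    'IOMMU (DMA protection)'    = $dg.AvailableSecurityProperties -contains 3
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family
    'TPM 2.0'                   = $tpm.SpecVersion -like '2.0*'
    'RAM >= 8 GB'               = $ramBytes -ge 8GB
    'UEFI firmware'             = $uefi
    'VBS running'               = $vbsRunning
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    'Credential Guard running'  = $dg.SecurityServicesRunning -contains 1
    'HVCI running'              = $dg.SecurityServicesRunning -contains 2
} | Format-List
```

A `False` for the last three rows means the feature is not currently enabled, not that the hardware cannot support it.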

